Blog
Security10 Jul 2026

Harvest now, decrypt later: why your files need post-quantum keys.

Encrypted data captured today can be stored and unlocked once large quantum computers arrive. Here is the threat, in plain terms, and why SpaceBox seals every file with ML-KEM-768.

Most conversations about quantum computing and encryption end with a shrug: large, useful quantum computers do not exist yet, so why worry today? The answer is that an attacker does not need one today. They only need to be patient.

The attack that has not happened yet

Well-resourced adversaries, states and well-funded organisations, already record encrypted traffic and copy stored ciphertext, betting they will be able to decrypt it later. The industry name for this is harvest now, decrypt later.

It works because your data has a shelf life. A medical record, a legal file, a source's identity, a company's intellectual property; these stay sensitive for years or decades. If something needs to remain secret past roughly 2030, the encryption protecting it needs to be strong not just now, but against the machines that arrive later.

Where classical encryption breaks

Almost every encrypted system pairs two things: a fast symmetric cipher such as AES to scramble the actual data, and a public-key key exchange such as RSA or elliptic-curve Diffie-Hellman to agree on the AES key in the first place.

AES itself holds up well. The best known quantum attack against it (Grover's algorithm) only halves the effective key length, so AES-256 stays comfortably strong. The weak point is the key exchange. RSA and elliptic-curve cryptography rely on maths problems (factoring and discrete logarithms) that Shor's algorithm solves efficiently on a large quantum computer. Break the key exchange, recover the AES key, read the file. The strong cipher never mattered.

ML-KEM-768, in plain terms

ML-KEM (formerly known as Kyber) is a key-encapsulation mechanism standardised by NIST in 2024 as FIPS 203. Instead of factoring, it is built on the hardness of lattice problems, which have no known efficient quantum attack. The "768" names the parameter set: a conservative middle option that NIST places at roughly AES-192-equivalent security. It is also small and fast, so it runs comfortably on a phone.

How SpaceBox uses it

Every file you send is sealed on your own device before it goes anywhere. A random content key encrypts the file with AES-256-GCM, and that content key is wrapped to the recipient's public key using ML-KEM-768. Only the recipient's private key, which never leaves their device, can unwrap it. Our servers only ever hold ciphertext.

So even if someone records everything in transit and stores it forever, there is no classical key exchange to break later and no key on our side to steal. The harvest is worthless.

If your files need to stay private past this decade, they need post-quantum keys today.

Why we chose it, and not "our own" crypto

Two rules guide the design. Use standardised, widely-reviewed primitives, and keep the private key on the device. ML-KEM-768 is NIST-standardised and heavily scrutinised, so we do not roll our own algorithms. Pairing a post-quantum key exchange with a proven symmetric cipher is a deliberately conservative choice. The point is not novelty; it is that files you drop today stay unreadable when the machines that could break yesterday's encryption finally arrive.

Start with SpaceBox LiteFree, end-to-end encrypted, post-quantum. No card, no email.

Keep reading

All articles โ†’